10 Simple Steps to Secure & Protect your WordPress Blog

As of the beginning of 2009 there were approximately
133 Million blogs online. This is a pretty large market and also the perfect playground for unscrupulous persons who live for spamming, scamming and just creating malicious programs that can seriously compromise and disable unsuspecting sites. As wordpress blog owners, we need to do everything possible to ensure that our sites are never exploited.

Here are 10 very simple steps, tools and tips to ensure that your blog can withstand malicious attacks and not be overrun with spam.

1. Use the Login Lockdown Plugin

Hackers can easily crack your password and other login credentials by using Brute Force Attacks (Click here for a definition). This plugin adds an extra security feature to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. This plugin can be downloaded from Bad Neighborhood

2. Delete Unused Plugins

Always ensure to delete unused plugins as these can provide loop holes that can be easily exploited.

3. Secure the /wp-admin/ Directory using .htaccess

I found this one on google’s Matt Cutts’ blog. Secure your /wp-admin/ directory by using a .htaccess file to allow access from specific IP addresses only. Create a new .htaccess file, which you can place directly in /wp-admin/.htaccess.

Replace the 111.111.111.111 with the IPs you would like to whitelist. This file says that the IP address 111.111.111.111 (and the other IP addresses whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. The ‘#’ lines are just notes and can be changed to suit your need.

4. WordPress Security Scanner Plugin

Install this plugin to help detect any loop holes that may exist in your database and blog files. It provides a report on what needs to be done to prevent attacks. This one is very useful and can be downloaded here: WP-Security-Scan

5. Limited Blog Registration Access

If your blog accepts registration, ensure that a user cannot immediately register and receive an administrative access. To change this, go to your Settings option in the wordpress dashboard, select General. Then change the New User Default Role to Contributor. This can easily be changed as the need arise.User privileges can also be assigned using the Role-Manager plugin.

6. Change Your Login Name

The default wordpress username is admin and hackers will always try to infiltrate using this default. So make it harder for them by changing it.

In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select the “Attribute all posts and links to:” and select your new username from the dropdown bar. This will transfer all the posts to your new user account. Press Confirm Deletion

7. Use a Very Strong Password

Ensure that you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters to form your password.

8. Always Upgrade to the Latest WordPress Version

The latest version of WordPress always contains bug fixes for any security vulnerabilities, therefore it is very important to keep your blog updated at all times. The latest version at the time of this post is 2.9.2 and can be downloaded here.

9. Install the Akismet Plugin

Once installed, Akismet checks your comments against the Akismet web service to see if they look like spam or not and prevents them from being published. Spam is stored in a separate folder where you can review all that is caught. This can be downloaded from Akismet.com

10. Backup Your WordPress Database

There is a free plugin that can schedule backups of your database to reduce the risk of loss of data. This can be downloaded here: WP-Database-Backup

Yeah, I know its a pretty tedious ToDo list but invest the time to secure a robust wordpress blog. It will cost 100 times more to recover from a malicious attack. Think about down-time, lost revenue, loss of trust from your readers, hiring a professional to get rid of malicious code, loss of information, loss of integrity and the list goes on forever.

Are you doing what it takes to secure and protect your presence online? If not, now is the time to do so. If you have any additional ideas on how to protect a wordpress blog please leave a comment to let us know.

Author

Robyn-Dale Samuda has a passion for the web and loves offering assistance and inspiration whenever possible and does so through Sam's Web Guide. He was a Writer for the popular blog, Blogging Pro and is the CEO of the web design firm Creative Engine Ltd.. Follow him on twitter Here

Nice tips.. We just migrated from TypePad to WordPress, so I’m still not to savvy with WP… I’m going to be implementing some of these immediately. Thanks bro…
.-= BrianJ | Online Business Blogger´s last blog ..How To Get Your Bulk Email Read =-.

Excellent post…thank you so much. WordPress vulnerabilities are something I have been concerned about but wasn’t quite sure how I could make my site more secure.
.-= Toya´s last blog ..Elmo: The Hardest Working Black man in Show Biz =-.

Nice tips Robyn. Here’s a killer one that few know about. Since some 2 or 3 versions ago, The WordPress config system has changed. You can therefore move your config.php file somewhere else on your host, e.g: a level higher than your current www folder. The WordPress core runs on all the host to search for this file and then connects the whole thing in one go. This prevents the blog/site from being hacked through the config.php file.
.-= Sachin @ Web Design Mauritius´s last blog ..Nobody needs web designers. =-.

Excellent post, Sam.
There are a couple of enhancements I can incorporate, like the .htaccess and the security scanner plugin. Top resources, thanks for the article. It’s always nice to pick up a new tip or two.
.-= Jimi Jones´s last blog ..Blog Maintenance – Keeping Your Blog in A-1 Condition =-.

Great tips Sam! A client of mine recently got hacked. The spammer added bad links to the footer of her WP blog. Google grey barred her site until we could figure our what was wrong. It’s important to keep your site secure. It’s not just about your site itself – such issues can affect how search engines treat you.
.-= Keller Hawthorne´s last blog ..How Did Google’s April 2010 PageRank Update Affect You? =-.

A google blacklisting can severely damage a site’s ability to get any search engine traffic for as long as 6 to 12 months. Its a serious issue and if this happens the site owner can either register a new domain or choose to ride the wave and promote the site through community building activities until google lifts the ban. Its not just google alone but Bing may also blacklist.

Thank you for sharing these 10 tips. I’m pretty familiar with some of it but 2,3,4 are new ideas to try. Two of my blogs had been hacked and it has been a hassle in my part to set it up and pull things out together again. I’ve learned my lesson and prevention is definitely better than setting up my blog again.

I totally posted this in the wrong article last night, so now i’m reposting it in the right one. This in regards to securing the wp-admin directory…

I’ve been using your site to configure my WordPress CMS (yeah I know, I’m asking for it) but can’t figure out why this code doesn’t work. I use .htaccess files in other directories just fine, but for some reason when I put this code in with my home IP address I always get a 500 error when attempting to access the admin side of things. Any ideas?